34 comments

[ 44.5 ms ] story [ 147 ms ] thread
Same for Natwest.

I believe the Channel 4 on Demand media player also does (did?) this.

Likely the same for FirstDirect. I couldn't get the app set up on my rooted Nexus despite going through process with their support desk. I didn't discuss it with them, just asked for a key fob code generator instead.
Perhaps someone should make a list of applications or services which are hostile towards rooted/jailbroken devices. Maybe effect some change.
And Sky Go. Which is frustrating. I want both an open device I control (as much as possible) and to pay for my media legitimately. Stopping me accessing media I've paid for on my rooted device makes me more likely to seek it out elsewhere (I'm already paying for it, god dammit!)
With 4OD and Sky Go it won't be about security/stability - it will be about them worrying that you'll somehow either skip adverts and such and/or have an easy way to permanently download the streams.

The advertising/tracking thing is presumably why 4OD refuses to operate in incognito mode in Chrome (I see no valid more technical reason).

How does one detect incognito mode? I was under the impression it was the same as any other Chrome session except for history and cookies being wiped automatically upon closing the window.
I've never looked into it. I just know it complains if you try use it in that mode (or did last time I tried to run it).
Halifax recently switched from a web app to a native Android app, and made the same restriction (no rooted devices for the native app).
As much as the move is annoying and alienating for the tech-savvy (the same market Barclays are trying to embrace), I can see some logic behind the decision.

The type of person who roots their phone is almost always going to be technologically experienced, or at least idea of dealing with money through technology.

On the other hand, though, Pingit is new technology and is actually scary for some people. When I enabled it in-branch, the advisor was surprised - even she said she'd never trust it!

I imagine that internally for Barclays it's a big move and a sensitive one. A security breach in the early stages would be catastrophic for the service and their brand. They need security, and for that they need stability.

A rooted phone is not a stable environment for Barclays to run their software - it could have been changed in any number of ways. It's a logical decision for them to increase stability by removing the wildcard platforms where they can't be sure what's going on.

What's the threat here? A bad impression because apps might crash on rooted phones? Because that's the only explanation I would buy.

Security? I highly doubt that this can be an issue here and I cannot follow that logic of yours, to be honest.

> I imagine that internally for Barclays it's a big move and a sensitive one. A security breach in the early stages would be catastrophic...

> A rooted phone is not a stable environment for Barclays to run their software - it could have been changed in any number of ways

This means it could be less stable, but I don't see how it would affect the possibility of a "security breach". You are talking about two different kind of issues as if they are related. Could you clarify?

By definition a rooted phone is compromised - a user has obtained root level privileged access. That's what 'rooted' means. The assumption is that it's the phone owner's actions that caused that to happen, but that's not necessarily the case. A third party could have rooted it. A local app exploit could have rooted it. Some clever malware that hasn't even been written yet that somehow escaped Android's security sandbox could have done it.

Ordinarily no one would care if a phone has been rooted or not. It's not important. But the point here is that allowing an app that has access to your bank account to run on a rooted device is assuming that the device was intentionally rooted by it's owner. For a bank that should be assuming far too much.

Actually they can only check for actual user-exposed way of rooting the phone. If there's a way some local app can do it, it doesn't have to expose this functionality - it can do whatever it wants to with it's elevated privileges and not leave a trace behind.

Local app exploit that messes with the bank app only will not be detectable by the bank app.

There's no reason for a clever malware to root your phone. "Rooting" only makes sense if you want to replace 'su' to grant root to different apps. If a malware escalates to root, it can just do whatever it wants, it doesn't have to "root".

Besides, even if the malware really needed to "root" the device, it could just use the same process has RootCloak[1] to hide that fact.

There's no valid security explanation; the app must designed assuming it's running on an insecure system, because there's no way of knowing if the system isn't lying.

[1] http://repo.xposed.info/module/com.devadvance.rootcloak

A third party could have rooted it.

This seem highly unlikely. In fact, I've never heard of it. And, add to that the serious hurdles I had to go through to root all the phones I ever rooted (3).

Your statements amount, to me, to overblown risk.

Sorry, sloppy language. I didn't mean stability in the normal sense - rather, homogeneity of the OS. I think that is connected to security: a rooted OS is more likely than a vanilla OS to cause software to run less predictably (probably mostly deliberate). This creates a definite security risk, and one that will be especially feared by a bank where confidence in its brand is at risk.
Barclays surely has a web app; not sure how a rooted phone is any more unstable/unknown than HTML/Javascript running on an unknown browser client.
The type of person who roots their phone is almost always going to be technologically experienced

Unfortunately, it seems, the opposite is true: Rooting is often one of the "checklist" kind of things that you see on many misled Android forums, and it seems that many users do it...just because.

And now they have a platform that is often significantly more vulnerable.

I completely understand why services would block this -- it fundamentally breaks the protections of the device. Many widely referenced vulnerabilities of Android only apply to rooted devices.

How in the world does it fundamentally break the protections of the device? Your apps don't get root unless you give it to them -- it's the direct equivalent of UAC on Windows or sudo access on Linux.
The idea is that, if a person has a rooted phone, it might have been rooted by someone other than the owner, in which case it's compromised. Also a rooted phone in the hands of an unsophisticated, trusting user is easier to attack and compromise than one not rooted. For a banking establishment with many interconnected devices, these are reasonable concerns.

To see how an apparently trivial peripheral vulnerability can bring down an entire network, look at how Target was successfully attacked, step by step, from the outside in:

http://www.aorato.com/blog/untold-story-target-attack-step-s...

Don't get me wrong. All my Android devices are rooted, but I can see the logic behind the policy.

it's the direct equivalent of UAC on Windows or sudo access on Linux

Indeed, it is. Do most corporate users run with admin accounts? Home users? In both cases, while the answer is unfortunately sometimes yet, it should always be no -- they are one confirmation away from significant peril.

It's none of their business if I do or don't have admin access on my computer. If Barclays came out and said their website would only work on locked-down Chromebooks we'd all recognize it as absurd. It's actually kind of scary how brainwashed we've been in the mobile era into accepting this sort of thing as normal.
The concern is more to do with other apps reading the Barclays app's private data on the phone, which is possible if the other app has root permissions. Without root permissions, the Barclays app data is safe and only readable by itself. In its app data, it is storing some sort of token that can be used to perform actions as the user, and it's only protected by a 5-digit PIN. So, if other apps were able to extract this data, they could brute-force the PIN offline and gain access to the user's account.
Anger mounted .. in November 2013 it seems. The article is that old, the petition from 09/2013.

Maybe it's relevant today, but I don't see any news here and I suggest adding a (2013) tag due to the linked article's age.

Purely technical fix: an app shouldn't be able to tell if the device is rooted unless user grants it root permissions.
In general Android needs a permission fix - it should be possible to deny any app the permissions it requests in such a way that it cannot detect that they have been turned of (and for the user to enable/disable them as it wants). An app that has been denied internet privileges would find that it suddenly can't get a connection no matter when it tries, an app looking into the contacts would find them containing only those it has added or random contacts, etc.

I have been waiting for years for this feature, I can't believe Google hasn't introduced it.

Think about this from your average end users perspective. They somehow manage to revoke permissions for an app, and parts of it stop working. They may not even realize they have revoked permissions, they would likely just assume the app is buggy.

Then they go and contact the developer for support, and make the developer spend a bunch of time troubleshooting why features aren't working.

All a feature like this would do is waste a lot of developer time, and cause users to unhappy with their phone/apps.

There appear to be a couple third party apps that do this: http://www.xda-developers.com/android/protecting-your-privac...

I can see that being the first question any dev would ask.

Also who offers support for a 1 usd app?

If you are rooted, you can get this behaviour by installing the Xposed Framework and then getting the XPrivacy module that is available for it. It allows you to permit/deny any requests for your information, and if you choose to deny them, it'll return empty/fake data (which is configurable).

It feels unreasonable that you have to go to these lengths to get this behaviour that should be built-in, but it's the best available currently.

Another method of getting similar behaviour is to enable the App Ops functionality which is built into Android 4.3 and 4.4, which allows you to enable/disable permissions in a granular fashion. The downside to this method is that if an app tries to use a permission that you have denied it access to, it might crash the app.

Sky's apps are the same. As a Barclays and Sky customer, this is a ball-ache. Barclays I can kind of understand, because progress in British retail banking happens at a snails pace, but I was surprised at Sky crippling their apps in this way.
Sky only do it due to their contracts with the media providers, just like they don't allow airplay. Its not their choice.
Same for the lloyds app. I believe it got ~1k 1-star reviews after that. They included some more stupid changes at the same time, so it's not just rooted phone users, but it's going to be a large number anyway. At least the mobile version of their website still works.
I can completely understand /agree with Barclays decision. I imagine apple will do the same once it's payment system gets properly implemented within iOS.